diff options
4 files changed, 144 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p1.patch new file mode 100644 index 0000000000..c3a5981488 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p1.patch | |||
@@ -0,0 +1,42 @@ | |||
1 | From da885fe1ee8b4589047484bd7fa05a4905b52b17 Mon Sep 17 00:00:00 2001 | ||
2 | From: Peter Maydell <peter.maydell@linaro.org> | ||
3 | Date: Fri, 14 Dec 2018 13:30:52 +0000 | ||
4 | Subject: [PATCH] device_tree.c: Don't use load_image() | ||
5 | |||
6 | The load_image() function is deprecated, as it does not let the | ||
7 | caller specify how large the buffer to read the file into is. | ||
8 | Instead use load_image_size(). | ||
9 | |||
10 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
11 | Reviewed-by: Richard Henderson <richard.henderson@linaro.org> | ||
12 | Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> | ||
13 | Reviewed-by: Michael S. Tsirkin <mst@redhat.com> | ||
14 | Reviewed-by: Eric Blake <eblake@redhat.com> | ||
15 | Message-id: 20181130151712.2312-9-peter.maydell@linaro.org | ||
16 | |||
17 | Upstream-Status: Backport | ||
18 | CVE: CVE-2018-20815 | ||
19 | affects <= 3.0.1 | ||
20 | |||
21 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
22 | |||
23 | --- | ||
24 | device_tree.c | 2 +- | ||
25 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
26 | |||
27 | diff --git a/device_tree.c b/device_tree.c | ||
28 | index 6d9c972..296278e 100644 | ||
29 | --- a/device_tree.c | ||
30 | +++ b/device_tree.c | ||
31 | @@ -91,7 +91,7 @@ void *load_device_tree(const char *filename_path, int *sizep) | ||
32 | /* First allocate space in qemu for device tree */ | ||
33 | fdt = g_malloc0(dt_size); | ||
34 | |||
35 | - dt_file_load_size = load_image(filename_path, fdt); | ||
36 | + dt_file_load_size = load_image_size(filename_path, fdt, dt_size); | ||
37 | if (dt_file_load_size < 0) { | ||
38 | error_report("Unable to open device tree file '%s'", | ||
39 | filename_path); | ||
40 | -- | ||
41 | 2.7.4 | ||
42 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch new file mode 100644 index 0000000000..d01e874473 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch | |||
@@ -0,0 +1,52 @@ | |||
1 | From 065e6298a75164b4347682b63381dbe752c2b156 Mon Sep 17 00:00:00 2001 | ||
2 | From: Markus Armbruster <armbru@redhat.com> | ||
3 | Date: Tue, 9 Apr 2019 19:40:18 +0200 | ||
4 | Subject: [PATCH] device_tree: Fix integer overflowing in load_device_tree() | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the | ||
10 | computation of @dt_size overflows to a negative number, which then | ||
11 | gets converted to a very large size_t for g_malloc0() and | ||
12 | load_image_size(). In the (fortunately improbable) case g_malloc0() | ||
13 | succeeds and load_image_size() survives, we'd assign the negative | ||
14 | number to *sizep. What that would do to the callers I can't say, but | ||
15 | it's unlikely to be good. | ||
16 | |||
17 | Fix by rejecting images whose size would overflow. | ||
18 | |||
19 | Reported-by: Kurtis Miller <kurtis.miller@nccgroup.com> | ||
20 | Signed-off-by: Markus Armbruster <armbru@redhat.com> | ||
21 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
22 | Signed-off-by: Alistair Francis <alistair.francis@wdc.com> | ||
23 | Message-Id: <20190409174018.25798-1-armbru@redhat.com> | ||
24 | |||
25 | Upstream-Status: Backport | ||
26 | CVE: CVE-2018-20815 | ||
27 | affects <= 3.0.1 | ||
28 | |||
29 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
30 | |||
31 | --- | ||
32 | device_tree.c | 4 ++++ | ||
33 | 1 file changed, 4 insertions(+) | ||
34 | |||
35 | diff --git a/device_tree.c b/device_tree.c | ||
36 | index 296278e..f8b46b3 100644 | ||
37 | --- a/device_tree.c | ||
38 | +++ b/device_tree.c | ||
39 | @@ -84,6 +84,10 @@ void *load_device_tree(const char *filename_path, int *sizep) | ||
40 | filename_path); | ||
41 | goto fail; | ||
42 | } | ||
43 | + if (dt_size > INT_MAX / 2 - 10000) { | ||
44 | + error_report("Device tree file '%s' is too large", filename_path); | ||
45 | + goto fail; | ||
46 | + } | ||
47 | |||
48 | /* Expand to 2x size to give enough room for manipulation. */ | ||
49 | dt_size += 10000; | ||
50 | -- | ||
51 | 2.7.4 | ||
52 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch new file mode 100644 index 0000000000..7f8300672b --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch | |||
@@ -0,0 +1,47 @@ | |||
1 | From d3222975c7d6cda9e25809dea05241188457b113 Mon Sep 17 00:00:00 2001 | ||
2 | From: William Bowling <will@wbowling.info> | ||
3 | Date: Fri, 1 Mar 2019 21:45:56 +0000 | ||
4 | Subject: [PATCH 1/1] slirp: check sscanf result when emulating ident | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=utf8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | When emulating ident in tcp_emu, if the strchr checks passed but the | ||
10 | sscanf check failed, two uninitialized variables would be copied and | ||
11 | sent in the reply, so move this code inside the if(sscanf()) clause. | ||
12 | |||
13 | Signed-off-by: William Bowling <will@wbowling.info> | ||
14 | Cc: qemu-stable@nongnu.org | ||
15 | Cc: secalert@redhat.com | ||
16 | Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info> | ||
17 | Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> | ||
18 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
19 | |||
20 | Upstream-Status: Backport | ||
21 | https://git.qemu.org/?p=qemu.git;a=commitdiff;h=d3222975c7d6cda9e25809dea05241188457b113;hp=6c419a1e06c21c4568d5a12a9c5cafcdb00f6aa8 | ||
22 | CVE: CVE-2019-9824 | ||
23 | affects < 4.0.0 | ||
24 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
25 | |||
26 | Index: qemu-3.0.0/slirp/tcp_subr.c | ||
27 | =================================================================== | ||
28 | --- qemu-3.0.0.orig/slirp/tcp_subr.c | ||
29 | +++ qemu-3.0.0/slirp/tcp_subr.c | ||
30 | @@ -662,12 +662,12 @@ tcp_emu(struct socket *so, struct mbuf * | ||
31 | break; | ||
32 | } | ||
33 | } | ||
34 | + so_rcv->sb_cc = snprintf(so_rcv->sb_data, | ||
35 | + so_rcv->sb_datalen, | ||
36 | + "%d,%d\r\n", n1, n2); | ||
37 | + so_rcv->sb_rptr = so_rcv->sb_data; | ||
38 | + so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc; | ||
39 | } | ||
40 | - so_rcv->sb_cc = snprintf(so_rcv->sb_data, | ||
41 | - so_rcv->sb_datalen, | ||
42 | - "%d,%d\r\n", n1, n2); | ||
43 | - so_rcv->sb_rptr = so_rcv->sb_data; | ||
44 | - so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc; | ||
45 | } | ||
46 | m_free(m); | ||
47 | return 0; | ||
diff --git a/meta/recipes-devtools/qemu/qemu_3.0.0.bb b/meta/recipes-devtools/qemu/qemu_3.0.0.bb index 63a6468acd..b591cc244b 100644 --- a/meta/recipes-devtools/qemu/qemu_3.0.0.bb +++ b/meta/recipes-devtools/qemu/qemu_3.0.0.bb | |||
@@ -32,6 +32,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ | |||
32 | file://CVE-2018-19364_p2.patch \ | 32 | file://CVE-2018-19364_p2.patch \ |
33 | file://CVE-2018-19489.patch \ | 33 | file://CVE-2018-19489.patch \ |
34 | file://CVE-2019-12155.patch \ | 34 | file://CVE-2019-12155.patch \ |
35 | file://CVE-2018-20815_p1.patch \ | ||
36 | file://CVE-2018-20815_p2.patch \ | ||
37 | file://CVE-2019-9824.patch \ | ||
35 | " | 38 | " |
36 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" | 39 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" |
37 | 40 | ||